If和else聲明，測試用戶帳戶狀態

Question

我想測試用戶帳戶的狀態。 如果該帳戶是活動的我重定向他到用戶頁面 如果帳戶是不活躍我重定向他有錯誤

這裏再次登錄網頁是我的代碼

<?php 

require('conexion.php'); 

$username = ''; 
$password = ''; 

if (isset($_POST['username']) || !empty($_POST['username'])) 
    $username = $_POST['username']; 
if (isset($_POST['password']) || !empty($_POST['password'])) 
    $password = $_POST['password']; 

$q1 = "select * from user where username='" . $username . "' and password='" . $password . "' "; 
$r1 = $db->query($q1); 
$i = 0; 
echo $q1; 

while ($d1 = $r1->fetch()) { 
    $i++; 
    //$id_perso = $d1['id_perso']; 
    $type = $d1['type']; 
    $nom = $d1['nom']; 
    $prenom = $d1['prenom']; 
    $statut = $d1['statut']; 
    $user_id = $d1['id_user']; 
} 

if ($i == 1) { // START IF 
    session_start(); 
    $_SESSION['username'] = $_POST['username']; 
    $_SESSION['password'] = $_POST['password']; 
    $_SESSION['type'] = $type; 
    $_SESSION['nom'] = $nom; 
    $_SESSION['prenom'] = $prenom; 
    $_SESSION['statut'] = $statut; 
    $_SESSION['user_id'] = $user_id; 

    if ($statut = 'actif') { 
     if ($_SESSION['type'] == 'admin') { 
      $path = "admin/index.php"; 
     } 
     if ($_SESSION['type'] == 'professeur') { 
      $path = "professeur/index.php"; 
     } 
     if ($_SESSION['type'] == 'doctorant') { 
      $path = "doctorant/index.php"; 
     } 

     header("Location:".$path); 
    } elseif ($statut = 'inactif') { 
     header("location:login.php?inactif"); 
    } 
} else { 
    header("location:login.php?error=1"); 
} 

?> 

Answer 1

何不你是否使用布爾值，應該會更容易。

/* 
1. Get Status from Database 
2. When the user is active, you set the boolean true, else false. */ 
$booleanVar = false; 

if($booleanVar) { 
// user is active 
} else { 
// user is inactive 
} 

編輯： 用頭重定向工作原理是這樣的，我認爲它不區分大小寫：

header('Location: somesite.php?abc'); 

你也有檢查值「==」（平等）或「=== 「（對於相同）

Answer 2

你可以簡單地得到同樣的結果，如果你這樣做了簡單的查詢：

您檢查密碼和用戶名的比賽，並檢查了ACCO unt已被激活。

$sql = 'SELECT `id` FROM `user` WHERE `username` = '$username' AND `password` = '$password' AND `statut` = 1' 

然後，您可以運行查詢和檢查的行數大於0

$sql = $db->query($sql); 
$results = $sql->fetch(); 

if (count($results) > 0) { 
    // Account is activated 
} else { 
    header("location: login.php"); 
    exit; 
} 

你也容易受到SQL-注入直接插入你的變量到你的查詢，至極Edhurtig注意！預先注入SQL注入的最好方法是使用PDO準備好的語句。

Answer 3

首要的是：不要存儲密碼。對安全散列算法（而不是md5）或使用Google，Facebook，Github等第三方認證服務進行一些研究。

二：此代碼是容易通過$ _ POST [「用戶名」]和$ _ POST [「密碼」]

而且SQL注入，這是一個有點不清楚什麼是被問，但我覺得這是很重要指出上述問題，因爲它們非常關鍵。

這是我能夠清理的東西。我強烈建議使用第三方認證服務，儘管

<?php 
require('conexion.php'); 
$salt = "random_string"; 

$username=''; 
$password=''; 
if (isset($_POST['username'])||!empty($_POST['username']))  $username = $_POST['username']; 
if (isset($_POST['password'])||!empty($_POST['password']))  $password = $_POST['password']; 

$hashed_password = some_hashing_function_1000_times($password, $salt); 

$q1="SELECT * FROM user WHERE `user`.`username` = '%s' AND `user`.`password` = '%s' LIMIT 1"; 

// I hope that $db has a prepare function, it prevents SQL injections from $_POST['username'] and $_POST['password'] 
$sql = $db->prepare($q1, $username, $hashed_password); 

$r1= $db->query($q1); 

$user = $r1->fetch(); 

if($user) { // START IF 
    session_start(); 
    $_SESSION['username'] = $_POST['username']; 
    $_SESSION['password'] = $_POST['password']; 
    $_SESSION['type'] = $type; 
    $_SESSION['nom'] = $nom; 
    $_SESSION['prenom'] = $prenom; 
    $_SESSION['statut'] = $statut; 
    $_SESSION['user_id'] = $user_id; 

    if($statut == 'actif'){ 
    if($_SESSION['type']=='admin') { $path="admin/index.php"; } 
    if($_SESSION['type']=='professeur'){ $path="professeur/index.php"; } 
    if($_SESSION['type']=='doctorant') { $path="doctorant/index.php"; } 
    header("Location: " . $path); 
    exit(); 
    } 
    else if ($statut == 'inactif') { 
    header("Location: login.php?inactif"); 
    exit(); 
    } 
} 

header("Location: login.php?error=1"); 
exit(); 

// No Closing PHP tag at end of file